File name:

rust-stealer-xss.exe

Full analysis: https://app.any.run/tasks/6b606f4c-8048-4a30-828b-39302c3a4b9e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 24, 2025, 18:41:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
rust
rustystealer
stealer
antivm
telegram
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

C4A91BAA7EEBC3F856BA50D20F6CCFD5

SHA1:

4E2C61AA9BA4BB96638FA0D81FF22D4A4A446DE3

SHA256:

8AC509A776A326180877DC44636081E21F58C89431477EF2A38DB10AD6BD15D1

SSDEEP:

98304:yl89K7w8sPbnkPpkM/3Q4ge+z9t2+8VQgexrm5Mx0n34e30fEW1WsTp4PbBqU1XA:9C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RUSTYSTEALER has been detected (YARA)

      • rust-stealer-xss.exe (PID: 4428)

    • Actions looks like stealing of personal data

      • rust-stealer-xss.exe (PID: 4428)

    • Steals credentials from Web Browsers

      • rust-stealer-xss.exe (PID: 4428)

  • SUSPICIOUS

    • The process hides Powershell's copyright startup banner

      • rust-stealer-xss.exe (PID: 4428)

    • Starts POWERSHELL.EXE for commands execution

      • rust-stealer-xss.exe (PID: 4428)

    • The process hide an interactive prompt from the user

      • rust-stealer-xss.exe (PID: 4428)

    • The process bypasses the loading of PowerShell profile settings

      • rust-stealer-xss.exe (PID: 4428)

    • Checks for external IP

      • svchost.exe (PID: 2196)

    • There is functionality for taking screenshot (YARA)

      • rust-stealer-xss.exe (PID: 4428)

    • There is functionality for VM detection VirtualBox (YARA)

      • rust-stealer-xss.exe (PID: 4428)

    • There is functionality for VM detection VMWare (YARA)

      • rust-stealer-xss.exe (PID: 4428)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • rust-stealer-xss.exe (PID: 4428)

  • INFO

    • Checks proxy server information

      • rust-stealer-xss.exe (PID: 4428)

    • Checks supported languages

      • rust-stealer-xss.exe (PID: 4428)

    • Reads the computer name

      • rust-stealer-xss.exe (PID: 4428)

    • Create files in a temporary directory

      • rust-stealer-xss.exe (PID: 4428)

    • Application based on Rust

      • rust-stealer-xss.exe (PID: 4428)

    • Creates files or folders in the user directory

      • rust-stealer-xss.exe (PID: 4428)

    • Reads the software policy settings

      • rust-stealer-xss.exe (PID: 4428)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:24 18:40:54+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 3153920
InitializedDataSize: 1192960
UninitializedDataSize: -
EntryPoint: 0x2f5d51
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #RUSTYSTEALER rust-stealer-xss.exe svchost.exe powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4428"C:\Users\admin\AppData\Local\Temp\rust-stealer-xss.exe" C:\Users\admin\AppData\Local\Temp\rust-stealer-xss.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rust-stealer-xss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
5548"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exerust-stealer-xss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7176\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7276C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7308"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 907
Read events
4 907
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
5548powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sno5uujk.iby.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5548powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nt4xadbz.g4p.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4428rust-stealer-xss.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\Cookiesbinary
MD5:46D9FCA6032297F8AEE08D73418312BA
SHA256:865856FA4C33C4AEE52E15FBB370B6611468FE947E76E197F0E50D0AD62CB1B4
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\Historybinary
MD5:0B2213BCE3950F1E95FEEB8E8B3B9543
SHA256:71DB3D87713A320BA9FD3043392509B430630CFCF574EE84118406D6471CFC5A
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\Login Databinary
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
5548powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:6432C76D07FDFC6A124969CF97CFEF92
SHA256:2480C3E83DC909707E16C00094CC7BB2DA2B7D4FAE4E62FCEF1990C227050186
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\g8k2pvzuN5T2yQghO1ScOph43lyWA7\screen1.pngbinary
MD5:ED7D6DE5545E4C9A51BF59E234F627D7
SHA256:51B9C23D7DCF1B96593F351D2FD34CD3945E2EFDB039A7B22C8D37E271DCB827
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\sensitive-files.zipcompressed
MD5:268577F01687A253C8AD19ED91234D42
SHA256:5D17C36AE0EF0E5E0EF6EB63792343E22E2168EC36D125564D834D44FEE289A9
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\g8k2pvzuN5T2yQghO1ScOph43lyWA7\sensitive-files.zipcompressed
MD5:268577F01687A253C8AD19ED91234D42
SHA256:5D17C36AE0EF0E5E0EF6EB63792343E22E2168EC36D125564D834D44FEE289A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
15
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7856
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
23.55.236.70:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.215.121.133:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
23.63.118.230:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.215.121.133:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4428
rust-stealer-xss.exe
GET
200
195.201.57.90:80
http://195.201.57.90:80/?output=json
unknown
unknown
7856
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.55.236.70:80
crl.microsoft.com
AKAMAI-AS
US
whitelisted
23.215.121.133:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.215.121.133:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4428
rust-stealer-xss.exe
195.201.57.90:80
ipwho.is
Hetzner Online GmbH
DE
malicious
6544
svchost.exe
40.126.31.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
23.63.118.230:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4428
rust-stealer-xss.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.55.236.70
  • 23.55.236.72
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.microsoft.com
  • 23.215.121.133
  • 2.16.253.202
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
ipwho.is
  • 195.201.57.90
malicious
login.live.com
  • 40.126.31.128
  • 20.190.159.68
  • 20.190.159.75
  • 40.126.31.73
  • 40.126.31.0
  • 40.126.31.129
  • 20.190.159.64
  • 40.126.31.131
whitelisted
ocsp.digicert.com
  • 23.63.118.230
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
4428
rust-stealer-xss.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4428
rust-stealer-xss.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rust-stealer-xss.exe